Wso2 is integration with .net core
Download as PPTX, PDF0 likes806 views
The document outlines the integration of WSO2 Identity Server with a .NET Core application, detailing a demo app for note-taking that employs OAuth2 and OpenID Connect for secure user authentication. It explains the roles of various participants in the OAuth2 flow, different types of client applications, and the various authorization flows available. Additionally, it discusses token types, claims, and scopes, along with guidelines for token validation and security measures like PKCE to prevent attacks.
Wso2 is integration with .net core
- 1. WSO2 - IDENTITY SERVER Integration with .NET Core ENG. Ahmed Abouelenein 15 Dec-2021
- 2. Notes Demo App • Demo Web Application to add your notes • Plans • Free Add Notes By Title & Details • Sliver Categorized Notes • Gold Fancy Color • Users authenticated By WSO2 • Client : ASP.NET Core MVC Web Application • API : ASP.NET Core Web API • https://github.com/ahmedabouelenein/Notes
- 3. OAuth2 • OAuth2 is open protocol to allow secure authorization in simple and standard method from web , mobile and desktop applications • OAuth for authorization used for issuing and validating access tokens on the internet • WSO2 implement OAuth2 standard like other Identity providers (Identity server , Ping , Trustbuilder , Azure AD …)
- 4. OpenID Connect • OpenID Connect is simple identity layer on top of OAuth2 protocol • OpenID Connect extend OAuth2 • Used for verifying the identity of end user based on authentication performed by authorization server • OpenID Connect fills the OAuth2.0 gap which is intended to provide authorization but not authentication
- 5. OAuth2 Participants • Resource Owner • The identity who own the data • Grants access to protected resources • Client Application • App that makes protected resource resquests on behalf of the resource owner and with its authorization • Authorization Server • Server issuing access tokens to the clients • Authenticates the resource owner and obtains authorization • Resource Server • Server that hosts protected resources • Handle protected resource requests using access tokens
- 6. Public and Confidential Clients • Confidential Client : • Capable of maintaining the confidentiality of their credentials eg ( client ID, Client Secret ) • Live on server • Server side web apps (MVC web Application) • Public client • Incapable of maintaining their credentials client ID , client secrets • Live on user device ( web browser , mobile device ..) • Javascript applications and mobile applications
- 7. Authorization Code flow • Flow determine how code and / or token(s) are returned to the client • How communication between IDP and Client • Depend on Application Type (public or confidential) we must use different flow • Flow types • Implicit flow • Hybrid flow • Resource owner (Password credential ) flow • Client credential flow
- 8. Authorization endpoint • Used by client application to obtain authentication and /or authorization via redirection • Identity Provider Level
- 9. Redirection endpoint • Used by IDP to return code & token(s) to the client application • Client Level
- 10. Token endpoint • Used by client application to request tokens (without redirection) from the IDP • IDP Level • Communication Types: • Front Channel Communication Browser URL or Form POST • Back Channel Communication Server to Server communication (Token end point)
- 12. Authorization Code flow With PKCE • Authorization code flow is vulnerable to injection attacks • Attacker can use code to get token and has all privilages of the victim • PKCE (Proof Key for Code Exchange)
- 13. Authorization Code flow With PKCE
- 14. Tokens • Types • Identity Token (proves that the user has been authenticated) • Access Token (allows the client application to access the user's resource) • Refresh Token (offline access) • Format • JWT Token (self hosting web token) • Reference Token
- 15. Claims and Scopes • Claims is a name value pair that represents what the subject is • Scopes are used to request specific sets of claims. • OpenId scope is mandatory scope to specify that OpenID Connect should be used.
- 17. Other endpoints • UserInfo Endpoint • Introspect Endpoint
- 18. Token Validation • Check that the JWT is well formed. • Check the signature. • Check the standard claims. • Verify token audience claims
- 19. Q & A